6b6f98691ad3c5c01e11d627be9978d9df562c33b65ff0715426cdfd0f212f19

General

Target

Bootstrapper.exe
Size

923KB
MD5

343bb17960dc5c071314d0a44473ba64
SHA1

4eaa02287ba44b57ab159f8366d1abc45c8d7ba5
SHA256

6b6f98691ad3c5c01e11d627be9978d9df562c33b65ff0715426cdfd0f212f19
SHA512

7f145aeee8c73066d81ab0a5a798191495cd21f42c310b94df6c29524ff5fc12875f93afcdb888057497854a82e85822c072050abb4bc8b639b746c7641d5b8f
SSDEEP

12288:6/2DLTG5cGueGAZlyW9NRLKeDdWTdInZKgAOw/0u6b084sxE3jjVjmg+sjrYjHd1:ks9RwpNR9BZdLw/0PjvyjjhyHq

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Loads dropped DLL 2 IoCs

pid	Process
5004	Bootstrapper.exe
2528	Bootstrapper.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 4860	5004	Bootstrapper.exe	87
PID 2528 set thread context of 4488	2528	Bootstrapper.exe	108

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4860	MSBuild.exe
4860	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	4860	MSBuild.exe
Token: SeSecurityPrivilege	4860	MSBuild.exe
Token: SeSecurityPrivilege	4860	MSBuild.exe
Token: SeSecurityPrivilege	4860	MSBuild.exe
Token: SeSecurityPrivilege	4860	MSBuild.exe
Token: SeDebugPrivilege	4860	MSBuild.exe
Token: SeBackupPrivilege	4488	MSBuild.exe
Token: SeSecurityPrivilege	4488	MSBuild.exe
Token: SeSecurityPrivilege	4488	MSBuild.exe
Token: SeSecurityPrivilege	4488	MSBuild.exe
Token: SeSecurityPrivilege	4488	MSBuild.exe
Token: SeDebugPrivilege	4488	MSBuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4860	5004	Bootstrapper.exe	87
PID 5004 wrote to memory of 4860	5004	Bootstrapper.exe	87
PID 5004 wrote to memory of 4860	5004	Bootstrapper.exe	87
PID 5004 wrote to memory of 4860	5004	Bootstrapper.exe	87
PID 5004 wrote to memory of 4860	5004	Bootstrapper.exe	87
PID 5004 wrote to memory of 4860	5004	Bootstrapper.exe	87
PID 5004 wrote to memory of 4860	5004	Bootstrapper.exe	87
PID 5004 wrote to memory of 4860	5004	Bootstrapper.exe	87
PID 2528 wrote to memory of 4488	2528	Bootstrapper.exe	108
PID 2528 wrote to memory of 4488	2528	Bootstrapper.exe	108
PID 2528 wrote to memory of 4488	2528	Bootstrapper.exe	108
PID 2528 wrote to memory of 4488	2528	Bootstrapper.exe	108
PID 2528 wrote to memory of 4488	2528	Bootstrapper.exe	108
PID 2528 wrote to memory of 4488	2528	Bootstrapper.exe	108
PID 2528 wrote to memory of 4488	2528	Bootstrapper.exe	108
PID 2528 wrote to memory of 4488	2528	Bootstrapper.exe	108

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bootstrapper.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
2KB

MD5
60ad21e008a8447fc1130a9c9c155148

SHA1
5dfa21d14dc33de3cc93a463688fe1d640b01730

SHA256
bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9

SHA512
42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9x.dll

Filesize
1.2MB

MD5
29aabd72d8c026566f2b537e14ac2122

SHA1
d71f874e88fa097853d618ff2f59a1c427d81c2c

SHA256
482ded29fe68b2a68359aae1bd7ef4d434687d5c4058d2374cc63a38813f43cc

SHA512
0c2297c86e6d42f134ee2a9ed03f1cc870bd841dab3df4786644e894252d876df2a38b18c66943755957147a17e1e41922581f211c6aab98dfc3032254e96b9c

Download Submit
memory/4488-43-0x0000000008B50000-0x0000000008B9C000-memory.dmp

Filesize
304KB

Download
memory/4860-26-0x0000000008A50000-0x0000000008AB6000-memory.dmp

Filesize
408KB

Download
memory/4860-21-0x0000000007B90000-0x0000000007BCC000-memory.dmp

Filesize
240KB

Download
memory/4860-9-0x0000000000700000-0x00000000007FA000-memory.dmp

Filesize
1000KB

Download
memory/4860-32-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4860-14-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/4860-15-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4860-16-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/4860-17-0x0000000004DB0000-0x0000000004DBA000-memory.dmp

Filesize
40KB

Download
memory/4860-18-0x0000000008080000-0x0000000008698000-memory.dmp

Filesize
6.1MB

Download
memory/4860-19-0x0000000007BF0000-0x0000000007CFA000-memory.dmp

Filesize
1.0MB

Download
memory/4860-20-0x0000000007B30000-0x0000000007B42000-memory.dmp

Filesize
72KB

Download
memory/4860-13-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4860-22-0x0000000007D00000-0x0000000007D4C000-memory.dmp

Filesize
304KB

Download
memory/4860-23-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4860-30-0x0000000009EC0000-0x000000000A3EC000-memory.dmp

Filesize
5.2MB

Download
memory/4860-27-0x0000000008EC0000-0x0000000008F36000-memory.dmp

Filesize
472KB

Download
memory/4860-28-0x0000000008E80000-0x0000000008E9E000-memory.dmp

Filesize
120KB

Download
memory/4860-29-0x0000000009730000-0x00000000098F2000-memory.dmp

Filesize
1.8MB

Download
memory/5004-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/5004-11-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/5004-12-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/5004-2-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/5004-1-0x0000000000B90000-0x0000000000C7E000-memory.dmp

Filesize
952KB

Download

Analysis

Sharing